[1591] in Kerberos


Re: kerberos outside US

daemon@ATHENA.MIT.EDU (Joe Pato)
Fri Oct 4 19:57:37 1991

Resent-From: pato@apollo.com (Joe Pato)
From: pato@apollo.com (Joe Pato)
Date: Fri, 4 Oct 91 09:12:37 EDT
To: tytso@Athena.MIT.EDU
Cc: kerberos@mit.athena
In-Reply-To: tytso@athena.mit.edu, thu, 3 oct 91 18:20:33
Resent-To: kerberos@Athena.MIT.EDU

       From: pato@apollo.com (Joe Pato)
       Date: Thu, 3 Oct 91 17:18:19 EDT
    
       No, the OSF DCE sources ARE exportable.  The international edition
       comes without DES (and substitutes a singularly weak replacement -
       the identity function) and is fully functional when built (albeit
       insecure).  Foreign customers can then add any encryption algorithm
       they choose. 
    
    The last time MIT tried to export Kerberos (V4, to Australia), merely
    leaving out the encryption was not sufficient; we had to strip out all
    of the _calls_ to the DES routines; we couldn't just replace the DES
    routines with the identity function.  (For Kerberos V4, we used a
    program called "barracuda" which stripped out the appropriate subroutine
    calls to produce "bones".)  If you can find the appropriate barracuda to
    tell you that your approach is O.K., and your company is willing to risk
    incurring the wrath of the State and/or Commerce department, more power
    to you!
    
    						- Ted

I am the author of the export plan submitted to the State Department and the
NSA.  We have obtained Commerce Department jurisdiction for the export of OSF
DCE sources.  In addition we have created a domestic version of the sources
which allows vendors to construct binaries that use DES for authentication but
remain governed by Commerce Department regulations for export.  (This comes
at the price of removing all capabilities for application data confidentiality
in the international binary edition.)  In early binary releases of the DCE, this
means that access to the MIT Kerberos V5 API is severely restricted (i.e., it
can only be consumed by the DCE Security component).  Access to authentication
and data integrity facilities is available through the DCE Security API.

                    -- Joe Pato
                       DCE Security Component Architect
                       Cooperative Object Computing Division / East
                       Hewlett-Packard Company
                       pato@apollo.hp.com
-------

